Since yesterday, all admin accounts on my Moodle suddenly started to have login problems. When I verified the VPS where it is installed, the antivirus software caught some files in the Moodle directory. They are all either lock.php or cloud.php, in different folders of the installation, like this:
/moodle/auth/userkey/cloud.php
/moodle/lib/editor/atto/plugins/c4l/lock.php
/moodle/dataformat/xml/cloud.php
I can't find those files in the old Moodle backup that I have; it seems that those files just showed up in the Moodle directory yesterday. Is my Moodle being hacked? What is happening?
I'm currently making a backup of my Moodle to check if everything is OK on my local server; however, I'm afraid to use this version because of the suspicious files.
I downloaded the new version of Moodle to see if it has those files; I didn't find them.
I downloaded my Moodle backup and my antivirus software also caught those lock.php files as viruses; it says that it was infected with PHP:Shell-GH [trj].
I was able to get a look at the code from one of those lock.php files on my Moodle before the antivirus got rid of it.
Its code looks like this:
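Added example, not part of the original post and not the contents of the lock.php file mentioned above: the check the post describes (looking for the files in an old backup and in a fresh download) can be done file by file over the whole tree. This Python script assumes a known-good reference copy of the same Moodle version; `compare_trees` and the other names are chosen here for illustration.

```python
import hashlib
import os
import sys


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def php_files(root):
    """Map relative path -> SHA-256 for every regular .php file under root."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = sha256_of(full)
    return found


def compare_trees(live_root, reference_root):
    """Return (added, changed): PHP files that exist only in the live tree,
    and PHP files whose content differs from the reference copy."""
    live = php_files(live_root)
    reference = php_files(reference_root)
    added = sorted(p for p in live if p not in reference)
    changed = sorted(p for p in live
                     if p in reference and live[p] != reference[p])
    return added, changed


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_trees.py LIVE_MOODLE_DIR REFERENCE_DIR")
    added, changed = compare_trees(sys.argv[1], sys.argv[2])
    for path in added:
        print("ADDED  ", path)
    for path in changed:
        print("CHANGED", path)
```

Plugins installed on the live site but missing from the reference tree are also reported as added, so the reference should include the same plugins. Files listed as changed matter as much as new ones, since existing PHP files can be modified in place.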

